How to use same value for AppRoles and oauth2Permissions with different Description and Display name?


My Azure AD application exposes the scope Roles.ReadWrite.All (delegated permission). Now I want to use machine-to-machine communication, so I need to expose an application permission. Following the official documentation, How to: Add app roles in your application and receive them in the token, I have created an appRole. Now I can give another application Application permission to the application.

But the issue is that I want to use the same value for the application permission and the delegated permission, as Microsoft is already doing with the Microsoft Graph application's AccessReview.Read.All permission. But when I try to create the appRole, it shows an error:

Failed to update Backend API application. Error detail: It contains duplicate value. Please Provide unique value. []

I can only create the same permission value if I keep the id, description and display name the same for both appRoles and oauth2Permissions. But Microsoft Graph is using two different IDs with the same value!

...
"requiredResourceAccess": [
    {
        "resourceAppId": "00000003-0000-0000-c000-000000000000",
        "resourceAccess": [
            {
                "id": "ebfcd32b-babb-40f4-a14b-42706e83bd28", // AccessReview.Read.All
                "type": "Scope"
            },
            {
                "id": "d07a8cc0-3d51-4b77-b3b0-32704d1f69fa", // AccessReview.Read.All
                "type": "Role"
            }
        ]
    },
    {
        "resourceAppId": "96954c3d-fbb4-4899-be79-582b810acb7b",
        "resourceAccess": [
            {
                "id": "fbeb72c6-dfcb-45b6-b83a-db2929314e70",
                "type": "Scope"
            },
            {
                "id": "42b90870-bbe2-46c6-a221-4f8981c559ae", // Roles.ReadWrite.All
                "type": "Scope"
            },
            {
                "id": "42b90870-bbe2-46c6-a221-4f8981c559ae", // Roles.ReadWrite.All
                "type": "Role"
            }
        ]
    }
],
...

As shown in the manifest snippet above, the Graph API's AccessReview.Read.All has two different ids for the delegated and application permissions, whereas my Roles.ReadWrite.All has the same id and, as a result, the same display name and description.


Solution

  • I'm afraid that what you need is not supported currently.

    As you have tested, if we use the same value for "AppRoles" and "OAuth2Permission", it will show this error: It contains duplicate value. Please Provide unique value.

    When we set the same ID for "AppRoles" and "OAuth2Permission", we will be required to set the same value for (description, adminConsentDescription), (displayName, adminConsentDisplayName), (isEnabled, isEnabled), (origin, origin), (value, value).

    In this case, we can say that we get the same object for "AppRoles" and "OAuth2Permission". But it will not affect your use. The access token can return the correct Delegated permission or Application permission.
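As an added example (not code from the question or the answer), the following models the manifest rule the answer describes: an appRole and an oauth2Permission may share a value only when they share the same id and their paired descriptive fields agree, otherwise the portal reports a duplicate value. The validator reproduces that behaviour for checking a manifest before uploading it; it is not Microsoft's own validation code, and the helper that builds the matching pair, its field names aside, is an assumption of this example.

```python
"""Models the appRoles/oauth2Permissions constraint described in the answer.
This is a local pre-check of a manifest, not Azure AD's own validation."""
import uuid

# Fields that must agree when an appRole and an oauth2Permission share an id
# (pairs taken from the answer: appRole field, oauth2Permission field).
PAIRED_FIELDS = [
    ("description", "adminConsentDescription"),
    ("displayName", "adminConsentDisplayName"),
    ("isEnabled", "isEnabled"),
    ("origin", "origin"),
    ("value", "value"),
]


def validate_permissions(app_roles, oauth2_permissions):
    """Return a list of problems; an empty list means the manifest is acceptable."""
    problems = []
    scopes_by_value = {s["value"]: s for s in oauth2_permissions}
    for role in app_roles:
        scope = scopes_by_value.get(role["value"])
        if scope is None:
            continue  # value used only as an app role: no conflict possible
        if scope["id"] != role["id"]:
            # The asker's situation: same value, two ids -> duplicate value error
            problems.append(f'duplicate value {role["value"]!r} with different ids')
            continue
        for role_field, scope_field in PAIRED_FIELDS:
            if role.get(role_field) != scope.get(scope_field):
                problems.append(f'{role["value"]!r}: {role_field} differs from {scope_field}')
    return problems


def shared_permission(value, display_name, description, perm_id=None):
    """Build the appRole/oauth2Permission pair the answer says is accepted.

    The pair shares one id and identical descriptive fields; perm_id defaults
    to a freshly generated id for this example (constructed, not from Azure)."""
    perm_id = perm_id or str(uuid.uuid4())
    role = {"id": perm_id, "value": value, "displayName": display_name,
            "description": description, "isEnabled": True, "origin": "Application",
            "allowedMemberTypes": ["Application"]}
    scope = {"id": perm_id, "value": value, "adminConsentDisplayName": display_name,
             "adminConsentDescription": description, "isEnabled": True,
             "origin": "Application", "type": "Admin"}
    return role, scope
```

Because the two entries share a value, a backend API must still distinguish the flows at runtime: delegated tokens carry the value in the scp claim and application tokens in the roles claim.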